From 68f727be9a11f180862d3f8625449d0f145714d0 Mon Sep 17 00:00:00 2001 From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Date: Tue, 17 Aug 2021 16:55:37 -0400 Subject: [PATCH] [Security Solution] ECS 1.11 Signal Mappings (#108764) (#108967) * Update signals mappings to include ECS 1.11 * Ensures no constant_keyword mappings * Bumps index version by 1, since it was already bumped by 10 for 7.15 in #106049 * Remove threat.indicator mappings from signals indices Until the old, 7.14 enrichment mappings (which define threat.indicator as nested) are in our rearview, we cannot add the official, non-nested threat.indicator mappings as they'll conflict. Co-authored-by: Ryland Herrick --- .../get_signals_template.test.ts.snap | 922 +++++++------- .../routes/index/ecs_mapping.json | 1079 ++++++++++++++++- .../routes/index/get_signals_template.ts | 11 +- .../routes/index/other_mappings.json | 993 --------------- 4 files changed, 1572 insertions(+), 1433 deletions(-) diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap index fb53550dba769..b93fec8e99ca5 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap @@ -14,7 +14,7 @@ Object { "mappings": Object { "_meta": Object { "aliases_version": 1, - "version": 56, + "version": 57, }, "dynamic": false, "properties": Object { @@ -769,7 +769,6 @@ Object { "type": "text", }, }, - "ignore_above": 1024, "index": false, "type": "keyword", }, @@ -785,6 +784,10 @@ Object { "ignore_above": 1024, "type": "keyword", }, + "agent_id_status": Object { + "ignore_above": 1024, + "type": "keyword", + }, "category": Object { "ignore_above": 1024, "type": "keyword", @@ -827,7 +830,6 @@ Object { }, "original": Object { "doc_values": false, - "ignore_above": 1024, "index": false, "type": "keyword", }, @@ -932,6 +934,123 @@ Object { "ignore_above": 1, "type": "keyword", }, + "elf": Object { + "properties": Object { + "architecture": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "byte_order": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "cpu_type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "creation_date": Object { + "type": "date", + }, + "exports": Object { + "type": "flattened", + }, + "header": Object { + "properties": Object { + "abi_version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "class": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "data": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "entrypoint": Object { + "type": "long", + }, + "object_version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "os_abi": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "imports": Object { + "type": "flattened", + }, + "sections": Object { + "properties": Object { + "chi2": Object { + "type": "long", + }, + "entropy": Object { + "type": "long", + }, + "flags": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "physical_offset": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "physical_size": Object { + "type": "long", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "virtual_address": Object { + "type": "long", + }, + "virtual_size": Object { + "type": "long", + }, + }, + "type": "nested", + }, + "segments": Object { + "properties": Object { + "sections": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + "type": "nested", + }, + "shared_libraries": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "telfhash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, "extension": Object { "ignore_above": 1024, "type": "keyword", @@ -1997,7 +2116,6 @@ Object { }, "original": Object { "doc_values": false, - "ignore_above": 1024, "index": false, "type": "keyword", }, @@ -2547,6 +2665,123 @@ Object { "ignore_above": 1024, "type": "keyword", }, + "elf": Object { + "properties": Object { + "architecture": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "byte_order": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "cpu_type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "creation_date": Object { + "type": "date", + }, + "exports": Object { + "type": "flattened", + }, + "header": Object { + "properties": Object { + "abi_version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "class": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "data": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "entrypoint": Object { + "type": "long", + }, + "object_version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "os_abi": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "imports": Object { + "type": "flattened", + }, + "sections": Object { + "properties": Object { + "chi2": Object { + "type": "long", + }, + "entropy": Object { + "type": "long", + }, + "flags": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "physical_offset": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "physical_size": Object { + "type": "long", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "virtual_address": Object { + "type": "long", + }, + "virtual_size": Object { + "type": "long", + }, + }, + "type": "nested", + }, + "segments": Object { + "properties": Object { + "sections": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + "type": "nested", + }, + "shared_libraries": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "telfhash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, "entity_id": Object { "ignore_above": 1024, "type": "keyword", @@ -2646,86 +2881,203 @@ Object { "ignore_above": 1024, "type": "keyword", }, - "entity_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "executable": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "exit_code": Object { - "type": "long", - }, - "hash": Object { - "properties": Object { - "md5": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha1": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha256": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha512": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "ssdeep": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "pe": Object { + "elf": Object { "properties": Object { "architecture": Object { "ignore_above": 1024, "type": "keyword", }, - "company": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "description": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "file_version": Object { + "byte_order": Object { "ignore_above": 1024, "type": "keyword", }, - "imphash": Object { + "cpu_type": Object { "ignore_above": 1024, "type": "keyword", }, - "original_file_name": Object { - "ignore_above": 1024, - "type": "keyword", + "creation_date": Object { + "type": "date", }, - "product": Object { - "ignore_above": 1024, - "type": "keyword", + "exports": Object { + "type": "flattened", + }, + "header": Object { + "properties": Object { + "abi_version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "class": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "data": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "entrypoint": Object { + "type": "long", + }, + "object_version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "os_abi": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "imports": Object { + "type": "flattened", + }, + "sections": Object { + "properties": Object { + "chi2": Object { + "type": "long", + }, + "entropy": Object { + "type": "long", + }, + "flags": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "physical_offset": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "physical_size": Object { + "type": "long", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "virtual_address": Object { + "type": "long", + }, + "virtual_size": Object { + "type": "long", + }, + }, + "type": "nested", + }, + "segments": Object { + "properties": Object { + "sections": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + "type": "nested", + }, + "shared_libraries": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "telfhash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "entity_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "executable": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "exit_code": Object { + "type": "long", + }, + "hash": Object { + "properties": Object { + "md5": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha1": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha256": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha512": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ssdeep": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "pe": Object { + "properties": Object { + "architecture": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "company": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "description": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "file_version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "imphash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "original_file_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "product": Object { + "ignore_above": 1024, + "type": "keyword", }, }, }, @@ -3809,7 +4161,8 @@ Object { "type": "text", }, }, - "type": "wildcard", + "ignore_above": 1024, + "type": "keyword", }, }, }, @@ -3880,7 +4233,8 @@ Object { "type": "keyword", }, "directory": Object { - "type": "wildcard", + "ignore_above": 1024, + "type": "keyword", }, "drive_letter": Object { "ignore_above": 1, @@ -4045,7 +4399,8 @@ Object { "type": "text", }, }, - "type": "wildcard", + "ignore_above": 1024, + "type": "keyword", }, "size": Object { "type": "long", @@ -4057,7 +4412,8 @@ Object { "type": "text", }, }, - "type": "wildcard", + "ignore_above": 1024, + "type": "keyword", }, "type": Object { "ignore_above": 1024, @@ -4098,7 +4454,8 @@ Object { "type": "geo_point", }, "name": Object { - "type": "wildcard", + "ignore_above": 1024, + "type": "keyword", }, "postal_code": Object { "ignore_above": 1024, @@ -4165,94 +4522,23 @@ Object { "ignore_above": 1024, "type": "keyword", }, - "authentihash": Object { - "ignore_above": 1024, - "type": "keyword", - }, "company": Object { "ignore_above": 1024, "type": "keyword", }, - "compile_timestamp": Object { - "type": "date", - }, - "compiler": Object { - "properties": Object { - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "creation_date": Object { - "type": "date", - }, - "debug": Object { - "properties": Object { - "offset": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "size": Object { - "type": "long", - }, - "timestamp": Object { - "type": "date", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - "type": "nested", - }, "description": Object { "ignore_above": 1024, "type": "keyword", }, - "entry_point": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "exports": Object { - "ignore_above": 1024, - "type": "keyword", - }, "file_version": Object { "ignore_above": 1024, "type": "keyword", }, - "icon": Object { - "properties": Object { - "hash": Object { - "properties": Object { - "dhash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - }, - }, "imphash": Object { "ignore_above": 1024, "type": "keyword", }, - "imports": Object { - "type": "flattened", - }, - "machine_type": Object { - "ignore_above": 1024, - "type": "keyword", - }, "original_file_name": Object { - "type": "wildcard", - }, - "packers": Object { "ignore_above": 1024, "type": "keyword", }, @@ -4260,70 +4546,6 @@ Object { "ignore_above": 1024, "type": "keyword", }, - "resources": Object { - "properties": Object { - "chi2": Object { - "type": "long", - }, - "entropy": Object { - "type": "long", - }, - "filetype": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "language": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha256": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - "type": "nested", - }, - "rich_header": Object { - "properties": Object { - "hash": Object { - "properties": Object { - "md5": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - }, - }, - "sections": Object { - "properties": Object { - "chi2": Object { - "type": "long", - }, - "entropy": Object { - "type": "float", - }, - "flags": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "raw_size": Object { - "type": "long", - }, - "virtual_address": Object { - "type": "long", - }, - }, - "type": "nested", - }, }, }, "port": Object { @@ -4346,7 +4568,8 @@ Object { "type": "keyword", }, "strings": Object { - "type": "wildcard", + "ignore_above": 1024, + "type": "keyword", }, "type": Object { "ignore_above": 1024, @@ -4359,10 +4582,12 @@ Object { "type": "keyword", }, "key": Object { - "type": "wildcard", + "ignore_above": 1024, + "type": "keyword", }, "path": Object { - "type": "wildcard", + "ignore_above": 1024, + "type": "keyword", }, "value": Object { "ignore_above": 1024, @@ -4383,7 +4608,8 @@ Object { "url": Object { "properties": Object { "domain": Object { - "type": "wildcard", + "ignore_above": 1024, + "type": "keyword", }, "extension": Object { "ignore_above": 1024, @@ -4400,7 +4626,8 @@ Object { "type": "text", }, }, - "type": "wildcard", + "ignore_above": 1024, + "type": "keyword", }, "original": Object { "fields": Object { @@ -4409,14 +4636,16 @@ Object { "type": "text", }, }, - "type": "wildcard", + "ignore_above": 1024, + "type": "keyword", }, "password": Object { "ignore_above": 1024, "type": "keyword", }, "path": Object { - "type": "wildcard", + "ignore_above": 1024, + "type": "keyword", }, "port": Object { "type": "long", @@ -4426,7 +4655,8 @@ Object { "type": "keyword", }, "registered_domain": Object { - "type": "wildcard", + "ignore_above": 1024, + "type": "keyword", }, "scheme": Object { "ignore_above": 1024, @@ -4463,7 +4693,8 @@ Object { "type": "keyword", }, "distinguished_name": Object { - "type": "wildcard", + "ignore_above": 1024, + "type": "keyword", }, "locality": Object { "ignore_above": 1024, @@ -4524,7 +4755,8 @@ Object { "type": "keyword", }, "distinguished_name": Object { - "type": "wildcard", + "ignore_above": 1024, + "type": "keyword", }, "locality": Object { "ignore_above": 1024, @@ -4577,206 +4809,6 @@ Object { }, }, }, - "pe": Object { - "properties": Object { - "architecture": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "authentihash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "company": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "compile_timestamp": Object { - "type": "date", - }, - "compiler": Object { - "properties": Object { - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "creation_date": Object { - "type": "date", - }, - "debug": Object { - "properties": Object { - "offset": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "size": Object { - "type": "long", - }, - "timestamp": Object { - "type": "date", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - "type": "nested", - }, - "description": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "entry_point": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "exports": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "file_version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "icon": Object { - "properties": Object { - "hash": Object { - "properties": Object { - "dhash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - }, - }, - "imphash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "imports": Object { - "type": "flattened", - }, - "machine_type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "original_file_name": Object { - "type": "wildcard", - }, - "packers": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "product": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "resources": Object { - "properties": Object { - "chi2": Object { - "type": "long", - }, - "entropy": Object { - "type": "long", - }, - "filetype": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "language": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha256": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - "type": "nested", - }, - "rich_header": Object { - "properties": Object { - "hash": Object { - "properties": Object { - "md5": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - }, - }, - "sections": Object { - "properties": Object { - "chi2": Object { - "type": "long", - }, - "entropy": Object { - "type": "float", - }, - "flags": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "raw_size": Object { - "type": "long", - }, - "virtual_address": Object { - "type": "long", - }, - }, - "type": "nested", - }, - }, - }, - "registry": Object { - "properties": Object { - "data": Object { - "properties": Object { - "bytes": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "strings": Object { - "type": "wildcard", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "hive": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "key": Object { - "type": "wildcard", - }, - "path": Object { - "type": "wildcard", - }, - "value": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, }, "type": "nested", }, @@ -4784,6 +4816,50 @@ Object { "ignore_above": 1024, "type": "keyword", }, + "group": Object { + "properties": Object { + "alias": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "reference": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "software": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "platforms": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "reference": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, "tactic": Object { "properties": Object { "id": Object { @@ -5684,6 +5760,6 @@ Object { }, }, }, - "version": 56, + "version": 57, } `; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/ecs_mapping.json b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/ecs_mapping.json index 3d24384680f57..ea4dfb80c1564 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/ecs_mapping.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/ecs_mapping.json @@ -2,7 +2,7 @@ "index_patterns": ["try-ecs-*"], "mappings": { "_meta": { - "version": "1.10.0" + "version": "1.11.0" }, "date_detection": false, "dynamic_templates": [ @@ -726,7 +726,6 @@ "type": "text" } }, - "ignore_above": 1024, "index": false, "type": "keyword" }, @@ -742,6 +741,10 @@ "ignore_above": 1024, "type": "keyword" }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, "category": { "ignore_above": 1024, "type": "keyword" @@ -784,7 +787,6 @@ }, "original": { "doc_values": false, - "ignore_above": 1024, "index": false, "type": "keyword" }, @@ -889,6 +891,123 @@ "ignore_above": 1, "type": "keyword" }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "extension": { "ignore_above": 1024, "type": "keyword" @@ -1495,7 +1614,6 @@ }, "original": { "doc_values": false, - "ignore_above": 1024, "index": false, "type": "keyword" }, @@ -1981,6 +2099,123 @@ "ignore_above": 1024, "type": "keyword" }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "entity_id": { "ignore_above": 1024, "type": "keyword" @@ -2080,6 +2315,123 @@ "ignore_above": 1024, "type": "keyword" }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "entity_id": { "ignore_above": 1024, "type": "keyword" @@ -2796,9 +3148,722 @@ }, "threat": { "properties": { - "framework": { - "ignore_above": 1024, - "type": "keyword" + "enrichments": { + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "nested" + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "software": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platforms": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } }, "tactic": { "properties": { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts index d1a369d571d06..38a3612e5861d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts @@ -29,7 +29,7 @@ import aadFieldConversion from './signal_aad_mapping.json'; incremented by 10 in order to add "room" for the aforementioned patch release */ -export const SIGNALS_TEMPLATE_VERSION = 56; +export const SIGNALS_TEMPLATE_VERSION = 57; /** @constant @type {number} @@ -74,15 +74,6 @@ export const getSignalsTemplate = (index: string, spaceId: string, aadIndexAlias ...fieldAliases, ...getRbacRequiredFields(spaceId), signal: signalsMapping.mappings.properties.signal, - threat: { - ...ecsMapping.mappings.properties.threat, - properties: { - ...ecsMapping.mappings.properties.threat.properties, - enrichments: { - ...otherMapping.mappings.properties.threat.properties.enrichments, - }, - }, - }, }, _meta: { version: SIGNALS_TEMPLATE_VERSION, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/other_mappings.json b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/other_mappings.json index 3b1ae9a9caa54..b61ad2e43ac03 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/other_mappings.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/other_mappings.json @@ -178,999 +178,6 @@ } } }, - "threat": { - "properties": { - "enrichments": { - "properties": { - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "type": "wildcard" - } - } - } - } - }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "exists": { - "type": "boolean" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "type": "wildcard" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "imports": { - "type": "flattened" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "type": "wildcard" - }, - "size": { - "type": "long" - }, - "target_path": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "type": "wildcard" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "type": "wildcard" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "modified_at": { - "type": "date" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "authentihash": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "compile_timestamp": { - "type": "date" - }, - "compiler": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "creation_date": { - "type": "date" - }, - "debug": { - "properties": { - "offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "timestamp": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_point": { - "ignore_above": 1024, - "type": "keyword" - }, - "exports": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "icon": { - "properties": { - "hash": { - "properties": { - "dhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "machine_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "type": "wildcard" - }, - "packers": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "resources": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "filetype": { - "ignore_above": 1024, - "type": "keyword" - }, - "language": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "rich_header": { - "properties": { - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "float" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "raw_size": { - "type": "long" - }, - "virtual_address": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "type": "wildcard" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "type": "wildcard" - }, - "path": { - "type": "wildcard" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "type": "wildcard" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "type": "wildcard" - }, - "original": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "type": "wildcard" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "type": "wildcard" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "type": "wildcard" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "type": "wildcard" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "type": "wildcard" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "index": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "authentihash": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "compile_timestamp": { - "type": "date" - }, - "compiler": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "creation_date": { - "type": "date" - }, - "debug": { - "properties": { - "offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "timestamp": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_point": { - "ignore_above": 1024, - "type": "keyword" - }, - "exports": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "icon": { - "properties": { - "hash": { - "properties": { - "dhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "machine_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "type": "wildcard" - }, - "packers": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "resources": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "filetype": { - "ignore_above": 1024, - "type": "keyword" - }, - "language": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "rich_header": { - "properties": { - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "float" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "raw_size": { - "type": "long" - }, - "virtual_address": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "type": "wildcard" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "type": "wildcard" - }, - "path": { - "type": "wildcard" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "nested" - } - } - }, "vlan": { "properties": { "id": {